As a lot of computers or other computing apparatuses are mutually connected via various networks such as Internet, it becomes more and more important to protect computers from intrusions or attacks via a network or information system. As intrusions or attacks, there are computer viruses, computer worms, system component changes, service denial attacks, and additionally, misapplications of legal computer system properties.
To prevent such network attacks, academic world and security enterprises provide firewalls, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and network security methods using a technology of virtual private network (VPN).
Generally, as a method of recognizing a network security state, there are a method based on a traffic pattern occurring in a network and a method of using security events occurring from security apparatuses installed on a network. However, in the case of the method based on a traffic pattern, when the traffic pattern exceeds a certain amount based on a traffic amount, it is considered that stability of the network is affected. Accordingly, there is a restriction on analyzing an abnormal state by recognizing a correlation between generated traffic properties.
In the case of the method based on security events occurring from security apparatuses, generally, the development of a corresponding item is analyzed by displaying a ratio of one of a network address, a protocol, a port number, and the number of packets, which are characteristic information forming a security event, or a security state is visualized using a part of the characteristic information or a value obtained by contracting the characteristic information. Therefore, hitherto, since detailed contents of a present security state are not capable of being displayed in one screen and additional information is required to determined the present security state, it is difficult to an administrator to directly recognize a security event threatening the network by using the visualized security state. Accordingly, there is required a lot of time used to recognize and cope with a present abnormal state of the network in a conventional security state display apparatus, thereby increasing damages.
For this, it is required to provide a security state visualization device and method capable of allowing a present network security state to be directly recognized by effectively visualizing essential properties of a security event in one screen.